IN THE CLAIMS:

Please CANCEL claims 11-12 and 21-22 without prejudice or disclaimer. 
Please AMEND claims 1-5, 8, 10, 13-15, and 17-20 as follows. 
Please ADD claims 23-69 as follows. 

1. (Currently Amended) A method, comprising: [[for authenticating a terminal
in a communication system, the terminal comprising identification means for applying
authentication functions to input data to form response data, and the communication
system being arranged to utilise a first authentication protocol for authentication of the
terminal, wherein an authentication functionality and the terminal share challenge data,
the terminal forms response data and a first key by applying the authentication functions
to the challenge data by means of the identification means, and returns the response data
to the authentication functionality, and the authentication functionality authenticates the
terminal by means of the response data and can apply an authentication function to the
challenge data to duplicate the first key; the method comprising;]]

executing [[a second]] an authentication protocol, wherein the terminal authentication
protocol comprises [[authenticates the]]

authenticating an identity of a network entity [[and the]] by a terminal in a
communication system;

sharing a [[and the network entity share a second]] key between the terminal
and the network entity for use in securing subsequent communications between
the terminal and the network entity; and [[and subsequently]]

executing [[a third]] another authentication protocol comprising [[by the steps of:]]

sharing challenge data between the network entity and the terminal;

forming at the terminal test data by [[at least]] applying [[one of the]] an
authentication function [[functions]] to the challenge data; [[by means of the
identification means;]]

[[transmitting]] sending a message comprising terminal authentication
data, from the terminal to the network entity; and

determining, based on the terminal authentication data, whether to
provide the terminal with access to a service,

wherein [[in]] the determining [[step the terminal is provided]] comprises
providing the terminal with access to the service only [[if]] when the terminal
authentication data equals a predetermined function of at least the test data and the
[[second]] key.

2. (Currently Amended) A method as claimed in claim 1, [[wherein the method
comprises:]] further comprising:

forming the test data by applying the authentication function to the challenge data
at the authentication functionality; and

[[transmitting]] sending the test data from the authentication functionality to the
network entity,

wherein the determining [[step]] comprises forming network authentication data by
applying the predetermined function to the test data and the key at the network entity,
and

wherein [[in]] the determining [[step]] further comprises providing the terminal [[is
provided]] with access to the service only [[if]] when the terminal authentication data equals
the network authentication data.

3. (Currently Amended) A method as claimed in claim 1, [[wherein the method
comprises:]] further comprising:

[[transmitting]] sending the [[second]] key from the network entity to the authentication
functionality;

forming the test data by applying the authentication function to the challenge data
at the authentication functionality; and

forming network authentication data by applying the predetermined function to the
test data and the key at the authentication functionality.

4. (Currently Amended) A method as claimed in claim 3, further comprising:

[[transmitting]] sending the terminal authentication data from the network entity to
the authentication functionality; and

[[transmitting]] sending, from the authentication functionality to the network entity, an
indication of whether the terminal authentication data equals the network authentication
data, and

wherein [[in]] the determining [[step]] comprises providing the terminal [[is provided]] with
access to the service only [[if]] when the indication is that the terminal authentication data
equals the network authentication data.

5. (Currently Amended) A method as claimed in claim 3, further comprising:

[[transmitting]] sending the network authentication data from the authentication
functionality to the network entity, and

wherein [[in]] the determining [[step]] comprises providing the terminal [[is provided]] with
access to the service only [[if]] when the indication is that the terminal authentication data
equals the network authentication data.

6. (Previously Presented) A method as claimed in claim 1, wherein the 
terminal authentication data is formed as a cryptographic checksum.

7. (Previously Presented) A method as claimed in claim 1, wherein the
network entity is co-located with the authentication functionality. 

8. (Currently Amended) A method as claimed in claim 1, wherein
[[authentication means is]] an identity module of the terminal is configured to perform the
authentication function.

9. (Original) A method as claimed in claim 8, wherein the identity module is 
user-removable from the terminal. 

10. (Currently Amended) A method as claimed in claim 8, wherein the identity
module is a [[SIM]] subscriber identity module or a [[USIM]] universal subscriber identity
module.

11-12. (Cancelled) 

13. (Currently Amended) A method as claimed in claim [[4]] 8, wherein the
[[authentication means stores]] identity module is configured to store a code and the
authentication function comprises [[applying]] a cryptographic transformation applied to the
code and the input data.

14. (Currently Amended) A method as claimed in claim 1, wherein the [[second]]
authentication protocol is [[the]] one of a pre-internet key exchange credential provisioning
protocol [[PIC, the PEAP]] a protected extensible authentication protocol, or [[the EAP TTLS]]
an extensible authentication protocol-tunneled transport layer security.

15. (Currently Amended) A method as claimed in claim 1, wherein the
challenge data and the response data are formed according to [[the EAP]] an extensible
authentication protocol.

16. (Previously Presented) A method as claimed in claim 1, wherein the said
message is a dedicated authentication message.

17. (Currently Amended) A method as claimed in claim 1, wherein the
predetermined function is used for derivation of a session key to be used for one of
encryption [[and/]]or authentication of communications between the terminal and the
network entity.

18. (Currently Amended) A communication system, comprising:

a terminal configured to apply authentication functions to input data to form
response data; and

a network entity configured to provide access to a service,

wherein the system is configured to perform an authentication method of executing an
authentication protocol wherein the authentication protocol comprises

authenticating an identity of the network entity by the terminal in the 
system; 

sharing a key between the terminal and the network entity for use in 
securing subsequent communications between the terminal and the network entity; 
and 

executing another authentication protocol comprising 

sharing challenge data between the network entity and the terminal; 

forming at the terminal test data by applying an authentication 
function to the challenge data; 

sending a message comprising terminal authentication data from the 
terminal to the network entity; and 

determining, based on the terminal authentication data, whether to 
provide the terminal with access to a service; 

wherein the determining comprises providing the terminal with access to 
the service only when the terminal authentication data equals a predetermined 
function of at least the test data and the key. 

[[identification means for applying authentication functions to input data to form
response data, and the communication system being arranged to utilise a first
authentication protocol for authentication of the terminal, wherein an authentication
functionality and the terminal share challenge data, the terminal forms response data and
a first key by applying the authentication functions to the challenge data by means of the
identification means, and returns the response data to the authentication functionality, and
the authentication functionality authenticates the terminal by means of the response data
and can apply an authentication function to the challenge data to duplicate the first key;
the system being arranged to perform an authentication method comprising the steps of:
executing a second authentication protocol wherein the terminal authenticates the identity
of a network entity and the terminal and the network entity share a second key for use in
securing subsequent communications between the terminal and the network entity; and
subsequently executing a third authentication protocol by the steps of:

sharing challenge data between the network entity and the terminal;

forming at the terminal test data by at least applying one of the authentication
functions to the challenge data by means of the identification means;

transmitting a message comprising terminal authentication data, from the terminal
to the network entity;

and determining based on the terminal authentication data whether to provide the
terminal with access to a service;

wherein in the determining step the terminal is provided with access to the service
only if the terminal authentication data is consistent with the network authentication data
computed as a predetermined function of at least the test data and the second key.]]

19. (Currently Amended) A communication system as claimed in claim 18,
wherein the system is further configured to execute a linking protocol by forming at the
terminal secret session keys by at least applying a predetermined function to the test data
using the shared key established in the another authentication protocol, and forming at
the network entity secret session keys by at least applying a predetermined function to the
test data using the shared key established in the another authentication protocol,

wherein the secret session keys are configured to secure the subsequent
communications between the terminal and some network element, [[comprising

a terminal, a network entity and an authentication functionality, the terminal
comprising identification means for applying an authentication function to input data to
form response data, and the communication system being arranged to utilise a first
authentication protocol wherein the terminal authenticates the identity of a network entity
and the terminal and the network entity share a key for use in securing subsequent
communications between the terminal and the network entity; and the communication
system being arranged to perform an authentication method comprising the steps of:
executing a second authentication protocol for authentication of the terminal,

wherein an authentication functionality supplies challenge data to the terminal, the
terminal forms response data and test data by applying the authentication function to the
challenge data by means of the identification means, and returns the response data to the
authentication functionality, and the authentication functionality authenticates the
terminal by means of the response data; and subsequently executing a third linking
protocol by the steps of forming at the terminal secret session keys by at least applying a
predetermined function to the secret test data by means of the shared key established in
the first protocol; forming at the network entity secret session keys by at least applying a
predetermined function to the secret test data by means of the shared key established in
the first protocol; wherein in the secret session keys are used to secure the subsequent
communication between the terminal and some network element.]]

20. (Currently Amended) A [[an authentication]] method as claimed in claim 1,
further comprising:

forming at the terminal secret session keys by at least applying a predetermined 
function to the test data using the shared key established in the another authentication 
protocol; and 

forming at the network entity secret session keys by at least applying a 
predetermined function to the test data using the shared key established in the another 
authentication protocol, 

wherein the secret session keys are configured to secure the subsequent 
communications between the terminal and a network element. 

[[for use in a communication system comprising a terminal, a network entity and an
authentication functionality, the terminal comprising identification means for applying an
authentication function to input data to form response data, and the communication
system being arranged to utilise a first authentication protocol wherein the terminal
authenticates the identity of a network entity and the terminal and the network entity
share a key for use in securing subsequent communications between the terminal and the
network entity; and the authentication method comprising the steps of: executing a
second authentication protocol for authentication of the terminal, wherein an
authentication functionality supplies challenge data to the terminal, the terminal forms
response data and test data by applying the authentication function to the challenge data
by means of the identification means, and returns the response data to the authentication
functionality, and the authentication functionality authenticates the terminal by means of
the response data; and subsequently executing a third linking protocol by the steps of
forming at the terminal secret session keys by at least applying a predetermined function
to the secret test data by means of the shared key established in the first protocol; forming
at the network entity secret session keys by at least applying a predetermined function to
the secret test data by means of the shared key established in the first protocol; wherein in
the secret session keys are used to secure the subsequent communication between the
terminal and some network element.]]

21-22. (Cancelled) 

23. (New) A method as claimed in claim 1, further comprising: 
executing a third authentication protocol for authentication of the terminal 
comprising: 
sharing between an authentication functionality and the challenge data;

forming response data and another key at the terminal by applying the 
authentication function to the challenge data; 

sending the response data to the authentication functionality from the 
terminal; 

authenticating the terminal at the authentication functionality using the 
response data; and 

applying the authentication function to the challenge data to duplicate the 
another key. 

24. (New) A method as claimed in claim 23, wherein the third authentication
protocol is an authentication and key agreement protocol or any protocol of the extensible 
authentication protocol family. 

25. (New) A method as claimed in claim 24, wherein the test data comprises 
one or both of an authentication and key agreement protocol integrity key value or an 
authentication and key agreement protocol cipher key value. 

26. (New) A method, comprising: 

executing an authentication protocol, wherein the authentication protocol 
comprises 
authenticating an identity of a network entity by a terminal in a
communication system, and 

receiving a key at the terminal from the network entity for use in securing 
subsequent communications between the terminal and the network entity; and 
executing another authentication protocol comprising 

receiving challenge data from the network entity at the terminal; 

forming at the terminal test data by applying an authentication 
function to the challenge data; 

sending a message comprising terminal authentication data from the 
terminal to the network entity; and 

receiving access to a service at the terminal following a 
determination of whether the terminal authentication data equals a 
predetermined function of at least the test data and the terminal key. 

27. (New) A method as claimed in claim 26, wherein the terminal 
authentication data is formed as a cryptographic checksum.



28. (New) A method as claimed in claim 26, wherein the network entity is
co-located with the authentication functionality.

29. (New) A method as claimed in claim 26, wherein an identity module of the
terminal is configured to perform the authentication function. 

30. (New) A method as claimed in claim 29, wherein the identity module is 
user-removable from the terminal. 

31. (New) A method as claimed in claim 29, wherein the identity module is a
subscriber identity module or a universal subscriber identity module. 

32. (New) A method as claimed in claim 29, wherein the identity module is 
configured to store a code and the authentication function comprises a cryptographic 
transformation applied to the code and the input data. 

33. (New) A method as claimed in claim 26, wherein the authentication 
protocol is one of a pre-internet key exchange credential provisioning protocol, a 
protected extensible authentication protocol or an extensible authentication protocol- 
tunneled transport layer security. 

34. (New) A method as claimed in claim 26, wherein the challenge data and 
the response data are formed according to an extensible authentication protocol.

35. (New) A method as claimed in claim 26, wherein the message is a
dedicated authentication message. 

36. (New) A method, comprising: 

executing an authentication protocol, wherein the authentication protocol 
comprises 

sending an identity of a network entity for authentication by a terminal in a 
communication system; 

sending a key to the terminal from the network entity for use in securing 
subsequent communications between the terminal and the network entity; and 
executing another authentication protocol comprising 

sending challenge data from the network entity to the terminal for 
forming test data at the terminal by applying an authentication function to 
the challenge data; 

receiving a message comprising terminal authentication data from 
the terminal at the network entity; 

determining, based on the terminal authentication data, whether to 
provide the terminal with access to a service; and 

providing the terminal with access to the service only when the 
terminal authentication data equals a predetermined function of at least the 
test data and the key.

37. (New) A method as claimed in claim 36, wherein the terminal
authentication data is formed as a cryptographic checksum. 

38. (New) A method as claimed in claim 36, wherein the network entity is co- 
located with the authentication functionality. 

39. (New) A method as claimed in claim 36, wherein an identity module of the 
terminal is configured to perform the authentication function. 

40. (New) A method as claimed in claim 39, wherein the identity module is 
user-removable from the terminal. 

41. (New) A method as claimed in claim 39, wherein the identity module is a 
subscriber identity module or a universal subscriber identity module. 

42. (New) A method as claimed in claim 39, wherein the identity module is 
configured to store a code and the authentication function comprises a cryptographic 
transformation applied to the code and the input data.

43. (New) A method as claimed in claim 36, wherein the authentication
protocol is one of a pre-internet key exchange credential provisioning protocol, a 
protected extensible authentication protocol or an extensible authentication protocol- 
tunneled transport layer security. 

44. (New) A method as claimed in claim 36, wherein the challenge data and 
the response data are formed according to an extensible authentication protocol. 

45. (New) A method as claimed in claim 36, wherein the message is a 
dedicated authentication message. 

46. (New) A method as claimed in claim 36, wherein the predetermined 
function is used for derivation of a session key to be used for one of encryption or 
authentication of the subsequent communications between the terminal and the network 
entity. 

47. (New) An apparatus, comprising: 

a processor configured to apply an authentication function to input data to form 
response data, and to execute an authentication protocol, 
wherein the authentication protocol comprises 
authenticating an identity of a network entity by a terminal in a
communication system, and 

receiving a key at the terminal from the network entity for use in securing 
subsequent communications between the terminal and the network entity; 
wherein the processor is further configured to execute another authentication 
protocol comprising 

receiving challenge data from the network entity at the terminal; 

forming at the terminal test data by applying an authentication function to 
the challenge data; 

sending a message comprising terminal authentication data from the 
terminal to the network entity; and 

receiving access to a service at the terminal following a determination of 
whether the terminal authentication data equals a predetermined function of at 
least the test data and the key. 

48. (New) An apparatus as claimed in claim 47, wherein the terminal 
authentication data is formed as a cryptographic checksum. 

49. (New) An apparatus as claimed in claim 47, wherein the network entity is 
co-located with the authentication functionality.

50. (New) An apparatus as claimed in claim 47, wherein an identity module of
the terminal is configured to perform the authentication function. 

51. (New) An apparatus as claimed in claim 50, wherein the identity module is
user-removable from the terminal. 

52. (New) An apparatus as claimed in claim 50, wherein the identity module is
a subscriber identity module or a universal subscriber identity module. 

53. (New) An apparatus as claimed in claim 50, wherein the identity module is 
configured to store a code and the authentication function comprises a cryptographic 
transformation applied to the code and the input data. 

54. (New) An apparatus as claimed in claim 47, wherein the authentication 
protocol is one of a pre-internet key exchange credential provisioning protocol, a 
protected extensible authentication protocol or an extensible authentication protocol- 
tunneled transport layer security. 

55. (New) An apparatus as claimed in claim 47, wherein the challenge data 
and the response data are formed according to an extensible authentication protocol. 






Application No.: 10/528,161 



56. (New) An apparatus as claimed in claim 47, wherein the message is a 
dedicated authentication message. 



57. (New) An apparatus, comprising: 

a processor configured to execute an authentication protocol, wherein the 
authentication protocol comprises 

sending an identity of a network entity for authentication by a terminal in a 
communication system; and 

sending a key to the terminal from the network entity for use in securing 
subsequent communications between the terminal and the network entity; 
wherein the processor is further configured to execute another authentication 
protocol comprising 

sending challenge data from the network entity to the terminal for forming 
test data at the terminal by applying an authentication function to the challenge 
data; 

receiving a message comprising terminal authentication data, from the 
terminal at the network entity; 

determining, based on the terminal authentication data, whether to provide 
the terminal with access to a service; and 
providing the terminal with access to the service only when the terminal
authentication data equals a predetermined function of at least the test data and the 
key. 

58. (New) An apparatus as claimed in claim 57, wherein the terminal 
authentication data is formed as a cryptographic checksum. 

59. (New) An apparatus as claimed in claim 57, wherein the network entity is 
co-located with the authentication functionality. 

60. (New) An apparatus as claimed in claim 57, wherein an identity module of 
the terminal is configured to perform the authentication function. 

61. (New) An apparatus as claimed in claim 60, wherein the identity module is
user-removable from the terminal. 

62. (New) An apparatus as claimed in claim 60, wherein the identity module is 
a subscriber identity module or a universal subscriber identity module.

63. (New) An apparatus as claimed in claim 60, wherein the identity module is
configured to store a code and the authentication function comprises a cryptographic 
transformation applied to the code and the input data. 

64. (New) An apparatus as claimed in claim 57, wherein the authentication 
protocol is one of a pre-internet key exchange credential provisioning protocol, a 
protected extensible authentication protocol or an extensible authentication protocol- 
tunneled transport layer security. 

65. (New) An apparatus as claimed in claim 57, wherein the challenge data 
and the response data are formed according to an extensible authentication protocol. 

66. (New) An apparatus as claimed in claim 57, wherein the message is a 
dedicated authentication message. 

67. (New) A computer program product embodied on a computer readable 
storage medium, the computer program product being configured to control a processor 
to perform a method comprising: 

executing an authentication protocol, wherein the terminal authentication protocol 
comprises 
authenticating an identity of a network entity by a terminal in a
communication system; 

sharing a key between the terminal and the network entity for use in 
securing subsequent communications between the terminal and the network entity; 
and 

executing another authentication protocol comprising 

sharing challenge data between the network entity and the terminal; 

forming at the terminal test data by applying an authentication 
function to the challenge data; 

sending a message comprising terminal authentication data, from the 
terminal to the network entity; and 

determining, based on the terminal authentication data, whether to 
provide the terminal with access to a service, 

wherein the determining comprises providing the terminal with access to 
the service only when the terminal authentication data equals a predetermined 
function of at least the test data and the key. 

68. (New) A computer program product embodied on a computer readable 
storage medium, the computer program product being configured to control a processor 
to perform a method comprising: 
executing an authentication protocol, wherein the authentication protocol
comprises 

authenticating an identity of a network entity by a terminal in a 
communication system, and 

receiving a key at the terminal from the network entity for use in securing 
subsequent communications between the terminal and the network entity; and 
executing another authentication protocol comprising 

receiving challenge data from the network entity at the terminal; 

forming at the terminal test data by applying an authentication 
function to the challenge data; 

sending a message comprising terminal authentication data from the 
terminal to the network entity; and 

receiving access to a service at the terminal following a 
determination of whether the terminal authentication data equals a 
predetermined function of at least the test data and the terminal key. 

69. (New) A computer program product embodied on a computer readable 
storage medium, the computer program product being configured to control a processor 
to perform a method comprising: 

executing an authentication protocol, wherein the authentication protocol 
comprises 
sending an identity of a network entity for authentication by a terminal in a
communication system; 

sending a key to the terminal from the network entity for use in securing 
subsequent communications between the terminal and the network entity; and 
executing another authentication protocol comprising 

sending challenge data from the network entity to the terminal for 
forming test data at the terminal by applying an authentication function to 
the challenge data; 

receiving a message comprising terminal authentication data from 
the terminal at the network entity; 

determining, based on the terminal authentication data, whether to 
provide the terminal with access to a service; and 

providing the terminal with access to the service only when the 
terminal authentication data equals a predetermined function of at least the 
test data and the key. 
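
The determining step recited in claims 1, 2, 6 and 13, as an added Python example that is not part of the filing: access is granted only when the terminal authentication data equals a keyed checksum over the test data and the key shared in the earlier protocol. HMAC-SHA256 as both the authentication function and the predetermined function, the 16-byte random challenge, and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def auth_function(code: bytes, challenge: bytes) -> bytes:
    """Authentication function of claim 13: a cryptographic transformation of
    the stored code and the input data. HMAC-SHA256 is an assumed stand-in."""
    return hmac.new(code, b"test-data|" + challenge, hashlib.sha256).digest()


def predetermined_function(test_data: bytes, key: bytes) -> bytes:
    """Predetermined function of claim 1, formed as a cryptographic checksum
    (claim 6) over the test data, keyed with the key from the earlier protocol."""
    return hmac.new(key, b"terminal-auth|" + test_data, hashlib.sha256).digest()


class AuthenticationFunctionality:
    """Holds the subscriber's code and forms test data for the network entity
    (claim 2). Hypothetical class name."""

    def __init__(self, code: bytes):
        self._code = code

    def test_data_for(self, challenge: bytes) -> bytes:
        return auth_function(self._code, challenge)


class Terminal:
    """Terminal whose identity module stores the code (claims 8 and 13)."""

    def __init__(self, code: bytes, key: bytes):
        self._code = code
        self._key = key  # key shared with the network entity in the earlier protocol

    def terminal_auth_data(self, challenge: bytes) -> bytes:
        test_data = auth_function(self._code, challenge)
        return predetermined_function(test_data, self._key)


class NetworkEntity:
    def __init__(self, key: bytes, auth_functionality: AuthenticationFunctionality):
        self._key = key
        self._af = auth_functionality
        self._pending = None

    def issue_challenge(self) -> bytes:
        self._pending = os.urandom(16)  # fresh challenge data for each attempt
        return self._pending

    def grant_access(self, terminal_auth_data: bytes) -> bool:
        if self._pending is None:
            return False
        challenge, self._pending = self._pending, None  # a challenge is used once
        test_data = self._af.test_data_for(challenge)
        network_auth_data = predetermined_function(test_data, self._key)
        # Constant-time comparison of terminal and network authentication data.
        return hmac.compare_digest(network_auth_data, terminal_auth_data)


def run_exchange(terminal: Terminal, entity: NetworkEntity) -> bool:
    challenge = entity.issue_challenge()
    return entity.grant_access(terminal.terminal_auth_data(challenge))


def demo() -> dict:
    code = os.urandom(16)  # constructed sample subscriber code
    key = os.urandom(32)   # constructed sample key from the earlier protocol
    entity = NetworkEntity(key, AuthenticationFunctionality(code))
    results = {
        # Same code and same key on both sides: the values are equal.
        "matching_key": run_exchange(Terminal(code, key), entity),
        # Correct code, but a key that the network entity does not hold.
        "different_key": run_exchange(Terminal(code, os.urandom(32)), entity),
        # Correct key, but the identity module holds another code.
        "wrong_code": run_exchange(Terminal(os.urandom(16), key), entity),
    }
    # Authentication data formed for one challenge, presented against the next.
    terminal = Terminal(code, key)
    old = terminal.terminal_auth_data(entity.issue_challenge())
    entity.grant_access(old)
    entity.issue_challenge()
    results["replayed_data"] = entity.grant_access(old)
    return results


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: access {'granted' if granted else 'denied'}")
```

Because the checksum is keyed with the key from the earlier protocol, a correct response to the challenge is accepted only from the party that also holds that key.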